Snort mailing list archives
New to snort (inline mode not rejecting)
From: usa ims <usaims () yahoo com>
Date: Tue, 28 Jul 2015 16:08:50 +0000 (UTC)
Inline mode not rejecting. I'm trying to reject 'ICMP' in my network and the pings are still successful (I know, it's overkill). I'm still able to ping any nodes in the subnet that Snort is protecting.

Snort Version: 2.9.7.3
Netgear Layer 2 Switch with mirroring enabled.

Snort seems to be starting fine:

Jul 28 11:30:41 snort snort[810]: afpacket DAQ configured to inline.
...
Jul 28 11:30:41 snort snort[811]: Commencing packet processing (pid=811)
Jul 28 11:30:41 snort snort[811]: Decoding Ethernet

I started snort with this command:

snort -Q -D -c /etc/snort/snort.conf -i eth1:eth2 --daq afpacket --daq-mode inline --daq-var buffer_size_mb=1024 -l /var/log/snort

I have this rule enabled in local.rules:

reject icmp any any -> any any (msg:"You're doomed!"; sid:478; rev:3;)

My snort.conf has some of the following:

#config policy_mode:inline
config daq: afpacket
config daq_mode: inline
config daq_var: buffer_size_mb=1024
var HOME_NET 192.168.0.0/24
var EXTERNAL_NET any

Here is the output from u2:

(IPv6 Event)
        sensor id: 0    event id: 1496  event second: 1438098558        event microsecond: 471655
        sig id: 478     gen id: 1       revision: 3     classification: 0
        priority: 0     ip source: fe80::851b:3b6b:9ef3:1ff8    ip destination: ff02::1:ff98:f8eb
        src port: 0     dest port: 0    protocol: 58    impact_flag: 32 blocked: 1

Packet
        sensor id: 0    event id: 1496  event second: 1438098558
        packet second: 1438098558       packet microsecond: 471655
        linktype: 1     packet_length: 86
[    0] 33 33 FF 98 F8 EB 28 D2 44 71 3A 63 86 DD 60 00  33....(.Dq:c..`.
[   16] 00 00 00 20 3A FF FE 80 00 00 00 00 00 00 85 1B  ... :...........
[   32] 3B 6B 9E F3 1F F8 FF 02 00 00 00 00 00 00 00 00  ;k..............
[   48] 00 01 FF 98 F8 EB 87 00 47 39 00 00 00 00 FE 80  ........G9......
[   64] 00 00 00 00 00 00 E1 C3 6F 7E CA 98 F8 EB 01 01  ........o~......
[   80] 28 D2 44 71 3A 63                                (.Dq:c

What am I missing?

Thanks in advance.
------------------------------------------------------------------------------
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
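The first thing to check when a reject rule "fires but nothing is blocked" is what packet the logged event actually carries. The script below is an added example, not code from the poster or from the Snort project: it takes the 86-byte hex dump from the unified2 packet record quoted in the post (offsets and ASCII column stripped, embedded here as a constant), decodes it as Ethernet / IPv6 / ICMPv6, verifies the ICMPv6 checksum against the IPv6 pseudo-header, and classifies the message. Run on the post's bytes it shows that the one event with "blocked: 1" is an ICMPv6 Neighbor Solicitation (type 135) from a link-local address to the solicited-node multicast group of its target, i.e. a packet that Snort's `icmp` protocol keyword also matches, and not one of the IPv4 echo requests the poster was testing with. The helper names and the summary format are this example's own.

```python
"""Decode the packet attached to a unified2 event and say what it really was.

Added example for the thread above; not the poster's code and not Snort's.
Input is the hex dump printed by u2spewfoo, offsets and ASCII columns removed.
"""
import ipaddress
import struct

# Packet bytes copied from the unified2 "Packet" record in the post.
U2_HEX = (
    "33 33 FF 98 F8 EB 28 D2 44 71 3A 63 86 DD 60 00"
    " 00 00 00 20 3A FF FE 80 00 00 00 00 00 00 85 1B"
    " 3B 6B 9E F3 1F F8 FF 02 00 00 00 00 00 00 00 00"
    " 00 01 FF 98 F8 EB 87 00 47 39 00 00 00 00 FE 80"
    " 00 00 00 00 00 00 E1 C3 6F 7E CA 98 F8 EB 01 01"
    " 28 D2 44 71 3A 63"
)

ETHERTYPE_IPV6 = 0x86DD
IPPROTO_ICMPV6 = 58          # the "protocol: 58" shown in the event record
ICMPV6_TYPES = {128: "echo request", 129: "echo reply",
                135: "neighbor solicitation", 136: "neighbor advertisement"}


def hexdump_to_bytes(dump):
    """Turn a space-separated hex string into raw bytes."""
    return bytes.fromhex(dump.replace(" ", ""))


def ones_complement_sum(data):
    """16-bit one's-complement sum with end-around carry (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def icmpv6_checksum(src, dst, icmp):
    """Expected ICMPv6 checksum: pseudo-header (RFC 8200 8.1) + message with
    its checksum field zeroed."""
    pseudo = (src + dst + struct.pack("!I", len(icmp))
              + b"\x00\x00\x00" + bytes([IPPROTO_ICMPV6]))
    zeroed = icmp[:2] + b"\x00\x00" + icmp[4:]
    return 0xFFFF ^ ones_complement_sum(pseudo + zeroed)


def solicited_node_multicast(addr):
    """ff02::1:ffXX:XXXX for the low 24 bits of addr (RFC 4291 2.7.1)."""
    low24 = int(ipaddress.IPv6Address(addr)) & 0xFFFFFF
    base = int(ipaddress.IPv6Address("ff02::1:ff00:0"))
    return str(ipaddress.IPv6Address(base | low24))


def decode_packet(raw):
    """Parse Ethernet -> IPv6 -> ICMPv6 and return a dict describing it.
    Raises ValueError on anything that is not a well-formed IPv6 frame."""
    if len(raw) < 14:
        raise ValueError("truncated Ethernet header")
    ethertype = struct.unpack("!H", raw[12:14])[0]
    if ethertype != ETHERTYPE_IPV6:
        raise ValueError("not IPv6: ethertype 0x%04x" % ethertype)
    ip6 = raw[14:]
    if len(ip6) < 40:
        raise ValueError("truncated IPv6 header")
    vtcfl, plen, nxt, hlim = struct.unpack("!IHBB", ip6[:8])
    if vtcfl >> 28 != 6:
        raise ValueError("IP version is not 6")
    src, dst = ip6[8:24], ip6[24:40]
    payload = ip6[40:40 + plen]
    if len(payload) != plen:
        raise ValueError("payload length %d but only %d bytes present" % (plen, len(payload)))
    info = {
        "src_mac": ":".join("%02x" % b for b in raw[6:12]),
        "dst_mac": ":".join("%02x" % b for b in raw[0:6]),
        "src": str(ipaddress.IPv6Address(src)),
        "dst": str(ipaddress.IPv6Address(dst)),
        "dst_is_multicast": ipaddress.IPv6Address(dst).is_multicast,
        "next_header": nxt,
        "hop_limit": hlim,
    }
    if nxt != IPPROTO_ICMPV6 or len(payload) < 4:
        info["summary"] = "next header %d (not ICMPv6)" % nxt
        return info
    icmp_type, icmp_code, got = struct.unpack("!BBH", payload[:4])
    info.update({
        "icmpv6_type": icmp_type,
        "icmpv6_code": icmp_code,
        "checksum_ok": got == icmpv6_checksum(src, dst, payload),
        "summary": "ICMPv6 " + ICMPV6_TYPES.get(icmp_type, "type %d" % icmp_type),
    })
    if icmp_type in (135, 136) and len(payload) >= 24:
        info["target"] = str(ipaddress.IPv6Address(payload[8:24]))  # NS/NA target
    return info


def is_echo(info):
    """True only for ICMPv6 echo request/reply, i.e. an actual ping6."""
    return info.get("icmpv6_type") in (128, 129)


if __name__ == "__main__":
    p = decode_packet(hexdump_to_bytes(U2_HEX))
    print("%s -> %s  %s  checksum_ok=%s" % (p["src"], p["dst"], p["summary"], p["checksum_ok"]))
    if "target" in p:
        print("target %s, solicited-node group %s" % (p["target"], solicited_node_multicast(p["target"])))
    print("this event is a ping:", is_echo(p))
```

The decode confirms the event record field by field (protocol 58, the two link-local/multicast addresses, packet_length 86) and that the destination ff02::1:ff98:f8eb is exactly the solicited-node group for the NS target fe80::e1c3:6f7e:ca98:f8eb. A valid checksum means the bytes were captured intact, so the block decision applied to real neighbor-discovery traffic on the Snort host's segment; whether the IPv4 pings under test ever traversed the eth1:eth2 pair is a separate question that this log entry cannot answer.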
Current thread:
- New to snort (inline mode not rejecting) usa ims (Jul 28)
- Re: New to snort (inline mode not rejecting) usa ims (Jul 30)
- Re: New to snort (inline mode not rejecting) Al Lewis (allewi) (Jul 30)
- Re: New to snort (inline mode not rejecting) Al Lewis (allewi) (Jul 30)
- Re: New to snort (inline mode not rejecting) Al Lewis (allewi) (Jul 30)
- Re: New to snort (inline mode not rejecting) usa ims (Jul 30)